PATRIOT Act and privacy laws take a bite out of US cloud business

European IT companies are using uncertainty about the US's surveillance laws …

While there are plenty of technical and functional concerns that have slowed adoption of public cloud computing and software-as-a-service, American companies trying to sell their cloud services outside the US or to large multinational organizations have another handicap to overcome: the USA PATRIOT Act. European, Asian, and Canadian data privacy rules and concern about US surveillance of data crossing international boundaries have even been used to market European data centers' services. Today, ComputerWeekly reported that BAE Systems had ditched Microsoft Office 365 over PATRIOT Act concerns, because Microsoft could not guarantee the company's data wouldn't leave Europe.

Microsoft's managing director in the UK, Gordon Frazer, made that admission in June at the Office 365 launch in London. After researching the PATRIOT Act, Microsoft found that regardless of where data was stored, it could not ensure that the data would not be turned over to the US government as the result of a National Security Letter or other government request, because the company is governed by US law. The jurisdiction that matters, in other words, is the one the provider answers to, not the one the data center sits in.

"The PATRIOT Act has come to be a kind of label for [privacy] concerns," Ambassador Phillip Verveer, the State Department's coordinator for international communications and information policy, said in a recent interview with Politico. Verveer said that some European cloud providers are "taking advantage of a misperception" of PATRIOT to cut American companies out of potential business, "and we'd like to clear up that misperception." The "misperception" has become a big enough problem for major tech firms that the Obama administration is making a diplomatic effort to allay fears about US data surveillance.

Section 217 of the PATRIOT Act permits government interception of the "communications of a computer trespasser" if the owner of a "protected computer" authorized that surveillance. The law's definition of "protected computer" includes systems "used in interstate or foreign commerce or communication." The Electronic Privacy Information Center's analysis of the provision found it so broad that "protected computer" could be interpreted to mean any computer, essentially giving the government warrantless search authority if its owner, or a service provider, agrees. PATRIOT also authorizes warrantless interception of communication between or among "foreign powers," which includes foreign political organizations.

Using the PATRIOT Act as a counter-marketing tool against US data services isn't anything new. Starting in 2004, a series of laws was passed or amended in Canadian provinces, preventing Canadian citizens' personal data from being stored outside Canada. The changes came in the wake of protests by the British Columbia Government Employees Union over the outsourcing of British Columbia's health insurance system to Maximus. BCGEU campaigned against the deal on the grounds that if Maximus, a US-based company, took over Medicare, "British Columbians' personal medical records could be accessed by the Bush government under the U.S. Patriot Act."

One Canadian healthcare CIO told Ars that he wasn't even considering cloud solutions because it was widely assumed in Canada that any patient data put into cloud-based health IT systems from his US-based software provider would be scanned by the NSA.

Issues surrounding PATRIOT and other US laws, and how they conflict with European data privacy laws, "don't necessarily rule US cloud services out" for multinational organizations, Greg Mason, a partner at Forensic Risk Alliance, told Ars. But they do put serious restrictions and costs on the cloud provider, he said. "Where you actually collect, process, and store the data is a huge issue," both because customers don't want data brought back into the US and exposed to government surveillance, and because storing it in the wrong jurisdiction could violate local privacy laws. Large public cloud services that provide email and other services, including Apple's iCloud, face the same issues.

European Commission Vice President and Justice Minister Viviane Reding made a point yesterday of calling out European cloud service providers for offering services that "shelter users from the US Patriot Act and other attempts by third countries to access personal data." In her speech at the European Data Protection and Privacy Conference in Brussels, Reding said, "We need a free flow of data between our continents, and it doesn't make much sense for us to retreat from each other." Reding is attempting to push forward an EU-wide set of regulations on data protection that would set a common standard across the continent, allowing data to be moved freely within the EU.

ZDNet's Zack Whittaker reports that the provisions of the new regulation will block PATRIOT Act provisions by revoking the EU/US "safe harbor" regulations, forcing companies that do business in Europe to get "adequacy" statements from the data protection authority of the country where the data is primarily stored before transferring it. The rules would make it illegal for the US to invoke PATRIOT Act measures to gain access to data stored in Europe. EU member states will be able to impose sanctions on companies that violate the rules, up to a maximum of five percent of a company's total revenue.

But PATRIOT is just part of the problem: there's a wider mismatch between data protection standards in the US and Europe. Reding said that there still needed to be "substantial progress" to reach a data protection agreement between the EU and US that would ensure that Europeans' "rights are respected whenever their personal information is transmitted in Europe or over the Atlantic for law enforcement purposes." The Commercial Privacy Bill of Rights Act introduced in April by Senators John Kerry and John McCain raised hopes that there would be closer alignment between the EU and US on data privacy, but Reding said that it appears the US will only put in place voluntary codes of conduct, and she is now worried that "US 'self-regulation' will not be sufficient" to allow data to move freely between Europe and the US.

58 Reader Comments

This is a real problem if you're trying to sell cloud products in Canada and you're American. Very few decision makers trust the US Government to NOT grab the data, even if they say they won't. So as soon as someone says that they can't guarantee the data won't leave Canada, the conversation is over. Google and Microsoft have both tried to pitch to us, and both times the whole thing died for the same reason.

Government workers who deal with agencies on the other side of the border are taking precautions like having a second laptop with nothing on it for those trips, for the same lack of trust reasons.

Rightly or wrongly, the perception is that the only way to keep with privacy laws is to keep it somewhere that the US Government can't get to it.

In the UK and most EU countries, there are strict regulations about the circumstances in which customer data can be allowed outside of the European Union. These rules affect anyone who collects and stores information about individuals, such as client contact details from a shopping website.

The effect of these rules is that any business using US owned cloud storage is perceived as a potential risk. Even if the data centres are outside the US, if the company is US owned, the data is able to be pulled under the PATRIOT Act.

I've always found The Patriot Act to be a puzzling piece of legislation, being that it was brought in by the Republicans, a supposed party championing small government and individual freedom, but yet it gives the government sweeping powers to undermine and infringe on those very things.

I assume all my files in "the cloud" are being cataloged and looked at regardless of what anyone tells me. I just use Amazon's cloud storage and any personal information I store is encrypted. The rest are just media files that I don't care about anyone seeing.

Very few decision makers trust the US Government to NOT grab the data, even if they say they won't. Rightly or wrongly, the perception is that the only way to keep with privacy laws is to keep it somewhere that the US Government can't get to it.

Probably rightly.

Quote:

found it is so broad that "protected computer" could be interpreted to mean any computer, essentially giving the government warrantless search authority if its owner—or a service provider—agrees.

Given how quickly Amazon yielded on Wikileaks, it wouldn't surprise me at all if they have given the NSA authorization to scan their computers. And the NSA can request it without a warrant even if Amazon declined, and Amazon can't even announce that the NSA has made a request if the request came in the form of a National Security Letter.

Actually, how are Google's plans coming along for those floating data centers?

Well this is fantastic! It puts the biggest companies in the world in direct opposition to government control. If they win, data becomes more secure; if they lose, the EU governments clamping down on this patriot act crap will skim off a nice percentage of the companies' profits. It's win-win!

I assume all my files in "the cloud" are being cataloged and looked at regardless of what anyone tells me. I just use Amazon's cloud storage and any personal information I store is encrypted. The rest are just media files that I don't care about anyone seeing.

That might work for you as an individual but if you're a corporation with a duty of care to staff, clients and investors/shareholders then that's not a solution. The solution in these cases is to avoid US based companies.

I've always found The Patriot Act to be a puzzling piece of legislation, being that it was brought in by the Republicans, a supposed party championing small government and individual freedom, but yet it gives the government sweeping powers to undermine and infringe on those very things.

I assume all my files in "the cloud" are being cataloged and looked at regardless of what anyone tells me. I just use Amazon's cloud storage and any personal information I store is encrypted. The rest are just media files that I don't care about anyone seeing.

That might work for you as an individual but if you're a corporation with a duty of care to staff, clients and investors/shareholders then that's not a solution. The solution in these cases is to avoid US based companies.

Yeah, my commentary was really geared towards my distrust of my own government and I totally agree with you. If I were a company based in the EU, I would use an EU vendor to supply my cloud computing needs.

"IT systems from his US-based software provider would be scanned by the NSA.". NSA has no oversight period. Therein lies the problem. And now, you can see them as intruding on business, not that they have not done so in the past but more and more public awareness is creeping in.

Others know better than to apply strong encryption to reduce the chances of unwarranted snooping. Besides, they cannot prevent remote viewers from seeing into their secrets, not that many have not done so.

There are more than a few people in the EU who are completely baffled by the extent that the USA seems to shoot itself in the foot these days. The US economy seems to be going down the pan and yet the government seems to be doing everything it can to make the country unattractive to invest in from the PATRIOT Act to the horrible experience for visiting foreign nationals at its borders to an immigration policy that makes it nearly impossible to bring in talent from outside the US border.

I sort of feel sorry for the declining empire that is the US, then I laugh a bit, then I feel conflicted.

I mean I'm sure that plenty of you would like to scrap the paranoia/over reaching approach to international relations that you have now. But then, on the other hand you have the tea party who I'm sure believe that it is manifest destiny or some other balls that the US should have rot like the PATRIOT act. As a nation you did vote George Bush in/ allow his election fraud to go unpunished.

Perhaps the east coast and Silicon Valley need to declare independence?

Anyway UK was there about 70 years ago and it took us decades to let go and find a place in the world. So I feel for you guys. (except for the fact that you were the ones making us think that we should still be an empire and artificially propping us up as a puppet state.)

I've always found The Patriot Act to be a puzzling piece of legislation, being that it was brought in by the Republicans, a supposed party championing small government and individual freedom, but yet it gives the government sweeping powers to undermine and infringe on those very things.

"Supposed" is the key word. Republicans love "small government" when the subject is stuff like health, pensions, and poor people. When you're talking about military and security stuff, government can't possibly be big enough.

I would not trust any secure data to US sites because the judiciary has become a rubber stamp for surveillance of local and especially foreign information, providing no meaningful check on the excesses of the executive and legislative body. Until this is cleared up, I think this will be an ongoing problem.

"The Consumer Privacy Bill of Rights introduced in April by Senators John Kerry and John McCain raised hopes that there would be closer alignment between the EU and US on data privacy, but Reding said that it appears that the US will only put in place voluntary codes of conduct, and she is now worried that "US 'self-regulation' will not be sufficient" to allow data to move freely between Europe and the US. "

Oh c'mon, you don't trust the US Government to do the right thing and be able to self regulate itself? It's been working so well already, how could you even think that?

I've always found The Patriot Act to be a puzzling piece of legislation, being that it was brought in by the Republicans, a supposed party championing small government and individual freedom, but yet it gives the government sweeping powers to undermine and infringe on those very things.

It isn’t so puzzling once you see past the GOP marketing hype.

[Off-topic: as I understand it, it's not *just* the GOP, and in some respects, the Obama administration has sought more harsh control over electronic communication than even the Bush administration, but...]

to the horrible experience for visiting foreign nationals at its borders

In fairness to them, this has *vastly* improved in the last few years. I'm told a significant amount of money and time was spent on training in this area. I would say that it worked.

The TSA lot are still horrid but I don't see what they can do in the time they have. I would guess they have no option but to cut locks rather than use the (not so) fancy keys as it's likely faster and they either:

* stop checking all bags
* delay departures
* do whatever it takes to open the bags.

I've always found The Patriot Act to be a puzzling piece of legislation, being that it was brought in by the Republicans, a supposed party championing small government and individual freedom, but yet it gives the government sweeping powers to undermine and infringe on those very things.

What I've always found puzzling about it is that when given the opportunity the liberals not only didn't overturn it, they expanded it.

This affects us (we're forbidden to use US-based cloud providers for organisational data).

And even if

Quote:

"The rules would make it illegal for the US to invoke PATRIOT act measures to gain access to data stored in Europe. EU member states will be able to impose sanctions on companies that violated the rules up to a maximum of five percent of a company's total revenue."

I was under the impression that the whole catch-22 of the Patriot act was that you couldn't talk about requests made under it? So even if you know your customer's data has been compromised, you can't inform them. Unless you like jail, that is.

Time to scrap the PARANOID, errr, PATRIOT act. It serves absolutely no purpose, other than to allow the government to snoop things they have no business snooping.

As someone who runs a cloud-based software service for Canadians, it's been tough finding a reliable offsite backup company that isn't located in the US. Scrapping this absurd big brother nonsense would no doubt open up many business opportunities for American companies.

I always warn people considering cloud services that their data will be in the hands of a third party and is in many ways out of their control. That means the NSA can snoop on your data, a remote disaster can cut off access to it or destroy it, or your trusted cloud provider could get acquired by another not-so-trusted company.

All this is fine as long as you don't rely exclusively on the cloud for the storage of crucial data, and as long as that data isn't sensitive or confidential. But what good is a data solution that you can't trust with your most sensitive data?

Invasive security regulations are also adversely affecting US tourism. Speaking personally, I'd be much more interested in visiting the US if I weren't concerned that I'd be suspected of being an illegal immigrant/drug smuggler/terrorist. Our domestic airline security is already invasive enough to disincline me from flying if any other method of travel is practical, why visit a country with a history of shipping innocent Canadians off to Syria to be tortured?

[Off-topic: it's odd to think the 'founding fathers' weren't "patriots" (loyal to their 'own' country - GB), but rather, "rebels". They called themselves "Whigs". "The radical invents the views. When he has worn them out, the conservative adopts them." (Mark Twain)]

I find it hilarious that U.S. citizens, whose ancestors left Europe to look for a more free and less oppressive land/country, are now facing a more oppressive and controlling government than those who are still in Europe.

Your forefathers must be turning in their graves.

---------------

As a Canadian, I am not going to let my personal data have anything to do with American data centres. I don't care what that Verveer guy says.

The fact is, the U.S. government and congress has the guts to put something like the Patriot Act into the law, who knows what the hell they'll pass next? (Hint: SOPA) It may be a "misinterpretation" right now, but with the current state of U.S., they can probably make it into the "right interpretation" with ease.

Face it, U.S. government has lost pretty much all of its street cred among the nations. You can say all the pretty things you want, but no one is going to trust you completely.

I've always found The Patriot Act to be a puzzling piece of legislation, being that it was brought in by the Republicans, a supposed party championing small government and individual freedom, but yet it gives the government sweeping powers to undermine and infringe on those very things.

What I've always found puzzling about it is that when given the opportunity the liberals not only didn't overturn it, they expanded it.

If you're talking about the Democrats, they're almost as far right as the Rethuglicans. More accurately, the Democrats are the velvet on the Rethuglicans' fist. There are precious few liberals left in congress.

It does. And the reason we know is that officials have been sued, and condemned, for it.

Also, when it does, since this is illegal, the resulting evidence is inadmissible in courts. In the US, you don't need courts anymore to detain people forever without judgment, anyways...

ilovedawkins wrote:

Perhaps the east coast and Silicon Valley need to declare independence?

Not a new idea... and one that is regularly floated, every now and then when people realize that California makes up a fifth of the US economy, and would be the 6th economic power in the world were it an independent country. Very unlikely, now, however, after decades of bad management of the state's finances have left it with a deficit bigger than yo mamma...

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.